[Samba] Samba and LDAP backend - howto docs problems?

Adam Williams adam at morrison-ind.com
Wed Mar 10 19:06:28 GMT 2004

> > We feel your learning curve pain with you. How can we solve this? What
> > specifically should be done to eliminate the pain? Who should do this and
> > how?
> "Simplify simply simplify" - Henry David Thoreau.
> > You are assuming that Samba only needs to work with OpenLDAP.
> [root at dungeon root]# rpm -q -f /etc/ldap.conf
> nss_ldap-207-5
> The config file to which I refer is part of nss_ldap, and has nothing to 
> do with OpenLDAP whatsoever.

And some platforms (AIX and others) don't have that file at all.

One possible solution is the use of SRV records.  NSS supports these for
automatically locating the appropriate DSA(s), in which case
/etc/ldap.conf can be eliminated altogether.

Hey, why can't Samba locate a DSA using SRV and load it's entire config
from the DSA? :)  And eliminate smb.conf.

> > assuming that ALL OpenLDAP configurations use the same directory
> > structure. Too many assumptions. How can we implement a universal
> > solution? What must we do to arrive at nirvana?
> 1) Eliminate the duplication through the use of sensible defaults.
> A sensible default for most of the LDAP setup is to read it from 
> /etc/ldap.conf, or wherever else this file lives on other platforms.

If your on Linux using OpenLDAP libraries installed from standard
packages.    That would be a suprisingly small percentage of cases I

> None of the ldap config directives appear in the default smb.conf file 
> as shipped with v3.0.2 (which could be Redhat's idea, I don't know). So 
> to set up LDAP, it's off to the HOWTO.

Yep, that default file is the distributions thing.  

> An example of such a config appears in the HOWTO, but it's incomplete, 
> as it excludes any mention of the "add * script" parameters. The first 
> time I heard they existed was when you asked if I had set them up on 
> this list.

I'm just have to disagree, I think the add * scripts are features rather
prominantely in the HOWTO collection.

> >>And you are assuming they are different. Why should the system be any
> >>more complex than it needs to be?

Security.  NSS has no reason to ever modify the DSA contents,  Samba
does - that alone makes them radically different.

> How many sites has Samba lost simply because the admin couldn't get 
> their head around the software in a reasonable amount of time? There are 
> other solutions available in the marketplace, with their own advantages 
> and disadvantages.

Just FYI,  I spent six months just reading and studying LDAP, then nine
months just building the directory services infrastructure, and THEN
added Samba (that was 2.2.1a + a patch, the first LDAP enabled Samba). 
And I though that timeline was pretty tight.    This is not simple
stuff,  lots of NT admins are still fighting with the migration to
Active Directory, and ask any old Novell-ites about the move to NDS.

More information about the samba mailing list